ValveSoftware / halflife

Half-Life 1 engine based games

[GoldSource] NET_QueuePacket vulnerable to ddos attack #2144

Open SkillartzHD opened 5 years ago

SkillartzHD commented 5 years ago

In NET_QueuePacket there's this:

if (in_message.cursize < 9)
{
Con_NetPrintf("Invalid split packet length %i\n", in_message.cursize);
}

How to access NET_QueuePacket with socket.sendto:

0xFE = length 0
0xFEFF = length 1
0xFEFFFF = length 2
0xFEFFFFFF = length 3
……
0xFEFFFFFFFFFFFFFF = length 8 (max)
dadada

The problem is not the spam made by Con_NetPrintf; even if you remove that printf, it still comes and still creates that server-side lag.

Solution: on the server, after socket.recvfrom, check if 0xFE was sent and, if so, return.
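As an added illustration (not the engine's code, and not the rehlds fix), here is a constructed before/after model in C of the check quoted above: the "before" form logs the short length but falls through, the "after" form drops a truncated split header before doing any further work on the datagram. The 9-byte header layout (netID 0xFFFFFFFE, 4-byte sequence, 1-byte packet index) is an assumption, as is the sizebuf_t shape.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not from the issue): a split packet starts with netID
 * 0xFFFFFFFE (bytes FE FF FF FF), a 4-byte sequence number and a 1-byte
 * packet index, so a complete split header is 9 bytes. */
#define SPLIT_NETID        0xFFFFFFFEu
#define SPLIT_HEADER_SIZE  9

typedef struct {
    const uint8_t *data;
    int            cursize;
} sizebuf_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "Before": mirrors the quoted snippet. A short header is logged, but the
 * function still returns 1, i.e. the datagram continues down the
 * split-packet path and costs the server work per bad packet. */
int queue_split_packet_before(const sizebuf_t *in)
{
    if (in->cursize < SPLIT_HEADER_SIZE) {
        printf("Invalid split packet length %i\n", in->cursize);
    }
    return 1; /* defect: truncated header is not rejected */
}

/* "After": validate length first (so the netID read below can never run
 * past the buffer), then the netID, and drop anything that fails.
 * Returns 1 only for a complete split header that is safe to queue. */
int queue_split_packet_after(const sizebuf_t *in)
{
    if (in->cursize < SPLIT_HEADER_SIZE) {
        printf("Invalid split packet length %i\n", in->cursize);
        return 0; /* drop: nothing further is done with this datagram */
    }
    if (read_le32(in->data) != SPLIT_NETID) {
        return 0; /* not a split packet; not handled here */
    }
    return 1; /* complete header: sequence and index can be parsed */
}
```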

RauliTop commented 5 years ago

@mikela-valve Another potential security breach that must be fixed in the next release.

Issue seems easy to fix.

As a reference: https://github.com/dreamstalker/rehlds/pull/652

SkillartzHD commented 5 years ago

@RauliTop this is not enough

metita commented 5 years ago

@mikela-valve This one is happening a lot too and still harming a lot of servers but there is not a real workaround unless using ReHLDS which won't fix it at all as @SkillartzHD said.

RauliTop commented 5 years ago

> @mikela-valve This one is happening a lot too and still harming a lot of servers but there is not a real workaround unless using ReHLDS which won't fix it at all as @SkillartzHD said.

The exploit is fully fixed in dproto and reunion. Or am I wrong?